On Thu, Aug 20, 2009 at 9:25 PM, Josh Kline<[email protected]> wrote:
> Dear dtrace gurus,
>
> I am new to dtrace and am trying to use it to investigate unexpected
> changes in file ownership.
> How do I find out the name of the file being chowned?
You need to use copyinstr(). A trivial example is:
$ dtrace -n 'syscall::chown:entry { trace(copyinstr(arg0)) }'
dtrace: description 'syscall::chown:entry ' matched 1 probe
CPU ID FUNCTION:NAME
4 7879 chown:entry /dev/pts/17
4 7879 chown:entry /dev/pts/17
4 7879 chown:entry /dev/pts/17
>
> So far I have:
> /* chown.d */
> BEGIN
> {
> trace("beginning!");
> }
>
> syscall::chown:entry,
> syscall::fchown:entry,
> syscall::lchown:entry
> / execname != "gconfd-2" /
> {
> printf("execname=%s, pid=%d\n", execname, pid);
> printf( "\t\tpath=%d, owner=%d, group=%d\n",
> arg0, arg1, arg2 );
copyinstr(arg0), ...
> stack();
> }
>
> END
> {
> trace ("ending!");
> }
> /* end chown.d */
> (sample output below)
>
> I expect the first argument (arg0) to chown to be the name of the file.
> However, I get an integer instead.
> I assume this is a char pointer, or an inode, or some other data structure.
>
> I am using Solaris 10 Update 7.
You will need special handling for fchown because arg0 is going to be
a file descriptor. You will need to use fds[arg0].fi_pathname to get
at the path. In this case, you don't need to use copyinstr() because
that memory is already in the kernel - no copyin() is required to get
it there.
--
Mike Gerdts
http://mgerdts.blogspot.com/
_______________________________________________
dtrace-discuss mailing list
[email protected]
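A complete script that puts both points together (copyinstr() for the path-taking calls, fds[arg0].fi_pathname for fchown), added here as an illustration rather than anything posted in the thread; it keeps the gconfd-2 exclusion from Josh's script and assumes the Solaris 10 syscall provider probe names.

```dtrace
#!/usr/sbin/dtrace -s
#pragma D option quiet

/* Constructed example: report every ownership change with the target path,
 * the requested owner/group, and the user stack of the process doing it. */

syscall::chown:entry,
syscall::lchown:entry
/execname != "gconfd-2"/
{
	/* arg0 is a user-space char *; copyinstr() brings it into the kernel
	 * so it can be printed from probe context. */
	printf("%s[%d] %s path=%s owner=%d group=%d\n",
	    execname, pid, probefunc, copyinstr(arg0), arg1, arg2);
	ustack();
}

syscall::fchown:entry
/execname != "gconfd-2"/
{
	/* arg0 is a file descriptor; fds[] is already kernel memory, so no
	 * copyin is needed to resolve it to a path. */
	printf("%s[%d] %s fd=%d path=%s owner=%d group=%d\n",
	    execname, pid, probefunc, arg0, fds[arg0].fi_pathname, arg1, arg2);
	ustack();
}
```

ustack() is used instead of stack() because the kernel stack at syscall entry is nearly identical for every caller, whereas the user stack shows which code in the process issued the change; copyinstr() can occasionally report an invalid address if the user page holding the string is not resident, in which case the probe fires again on the next call.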